I'm trying to reverse engineer an Android app API, so this is what I tried:

First, the app was using OkHttp certificate pinning and I couldn't track the URLs with Charles. Then I tried this method, and now the tracking part is working, but the request body is encrypted and I really can't understand the method of encryption, because all of the requests have different lengths and it's not like Base64, like this example:

Then I tried to rebuild the process of sending this endpoint to simulate the request and encryption, but not only is it so hard (Java decompiler and JADX can't decompile all the methods and some of them have exceptions), but some of the methods have bad parameters, like this method:

1 Answer

JADX often provides inaccurate decompilation output. You'll have to look at the smali in methods that you find inconsistent.
About the wrong parameter in the aa.a method, you'll have to check the smali to make sure you've got the right class and the right method because I never saw JADX get the types wrong.

Now, about the request body, it seems like it's the Base64 of some encrypted bytes. If I were you I'd look for xrefs for the endpoint Retrofit method, and see how the arguments are generated.
You could also try to hook the methods from the cipher class you found and compare that to what you see in the requests.
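
An added example (not part of the original answer or of the app's code): a Python triage of captured request bodies that tests the "Base64 of encrypted bytes" guess and shows why differing lengths are expected from a padded block cipher. The sample bodies and `fake_ciphertext` are constructed stand-ins, because the request from the question is not on the page.

```python
import base64
import binascii
from functools import reduce
from math import gcd

def decode_b64(body):
    """Decode standard or URL-safe Base64 (padding optional); None if neither."""
    s = "".join(body.split())
    s += "=" * (-len(s) % 4)  # restore padding that some clients strip
    for alt in (None, b"-_"):
        try:
            return base64.b64decode(s, altchars=alt, validate=True)
        except (binascii.Error, ValueError):
            pass
    return None

def printable_ratio(data):
    """Share of printable ASCII bytes; uniformly random bytes average about 0.37."""
    return sum(32 <= b <= 126 for b in data) / len(data) if data else 1.0

def triage(bodies):
    """Classify captured bodies and infer a cipher block size from their lengths."""
    decoded = [decode_b64(b) for b in bodies]
    if any(not d for d in decoded):  # None (undecodable) or empty
        return {"verdict": "not Base64", "block": None}
    if all(printable_ratio(d) > 0.95 for d in decoded):
        return {"verdict": "Base64 of readable text", "block": None}
    g = reduce(gcd, (len(d) for d in decoded))
    # Lengths that differ but share a factor of 16 (or 8) are consistent with a
    # padded block cipher; no common factor suggests a stream or AEAD mode.
    block = 16 if g % 16 == 0 else 8 if g % 8 == 0 else None
    return {"verdict": "Base64 of binary data", "block": block,
            "lengths": [len(d) for d in decoded]}

def fake_ciphertext(n, seed):
    """Constructed stand-in for ciphertext: deterministic, mostly non-printable."""
    return bytes((i * 73 + seed) % 256 for i in range(n))

SAMPLES = [  # constructed request bodies, not taken from the app
    base64.b64encode(fake_ciphertext(16, 41)).decode(),
    base64.b64encode(fake_ciphertext(48, 7)).decode(),
    base64.urlsafe_b64encode(fake_ciphertext(32, 99)).decode().rstrip("="),
]

if __name__ == "__main__":
    print(triage(SAMPLES))
```

A block size in the result is a hint about which cipher parameters to look for in the smali, not proof of the algorithm.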